Author: Manishree Bhattacharya
Two years into the global pandemic, remote working and hybrid work strategies have become normalised — part of “business as usual” for many technology workforces. Other sectors, of course, have also implemented and enabled telecommuting, in both the short- and long-term. In this environment — amidst the rush to digitally transform, enable business continuity and resilience, and drive innovation — the cybersecurity function has become even more critical.
And cybersecurity professionals have their work cut out for them. In its Global Risks Report 2022, the World Economic Forum places cybersecurity failures among the most “critical short- and medium-term threats to the world,” noting that our “growing digital dependency will intensify cyberthreats.” With malware and ransomware attacks on the rise, threat actors more persistent and threats having increasingly global implications, it’s difficult to imagine the long-term prospects of a hyper-connected digital world without a concerted focus on cybersecurity.
What’s more, executives outside of IT are realising the need for a comprehensive approach to cybersecurity as well. According to a recent Gartner survey, nearly nine out of 10 boards of directors (BoDs) classify cybersecurity threats as a business risk, rather than solely a technology risk. Despite that, Gartner notes that “only 12% of BoDs have a dedicated board-level cybersecurity committee.”
Amidst such changes, is cybersecurity perceived as an enabler in the enterprise?
By now, one would presume that cybersecurity would have firmly established itself as a business enabler in the minds of leaders and employees alike. The function must find it easy to navigate and manage issues, with frequent buy-in and few hurdles, right?
The reality is often different and more complicated, though. Despite rising awareness of the pervasiveness and ramifications of breaches, security leaders can find it challenging to manage digital transformation initiatives, hybrid IT and shadow IT. Digital transformation is at full throttle in most organisations right now; however, cybersecurity is sometimes perceived as a brake to this momentum and still not an easy plug-in.
Changing approaches and changing minds
How can we bring about a shift in mindset, not only on paper, but also on the ground? How can cybersecurity become an easy plug-in in organisations? How can other business functions best use cybersecurity to their advantage?
Cybersecurity prioritisation from the top down is key. And for security leaders, in particular, it’s also often important to put time into creating a positive security culture within their organisations.
Here are a few ways that the chief information security officer (CISO) can transition from being perceived as restrictive and prescriptive to — instead — enabling, encouraging and experience-driven, benefitting cyber and the organisation at large:
1. Implementing security by design by fully adopting development, security and operations (DevSecOps) can be a good starting point. To that end, introducing automation and containerisation into application development can make it easier for developers to code securely. In addition, understanding real-world challenges from coders and co-creating solutions (perhaps with some incentivisation) are important. Whether greenfield or brownfield digital projects, developed in-house or in collaboration with a third party, enabling easier adoption of security design principles becomes a win-win for the security and business teams.
2. Using the power of cloud for collaboration (such as with third parties) can bring agility and security together. Adopting a zero-trust cloud collaboration model and keeping identity and data security at its core can also provide better data visibility and be helpful from an audit standpoint.
3. Co-innovating and co-creating solutions with other business functions or external parties can help make cybersecurity a cross-functional programme. Plus, tying incentives to such programmes can create cyber champions across the organisation. An example can be offering reward points to HR for bringing in privacy features in an employee engagement platform. If an organisation is unsure of an AI project, its chief digital officer, along with the CISO, can arrange a hackathon to solve both the technology and security challenges, keeping necessary parties collaborating and aligned.
4. Making security fun and inspiring can also go a long way. Cyber awareness within the organisation can require a different, more expansive approach, as “scare-mongering” with overwhelming training materials often does not provide the desired outcome, in terms of participation and knowledge retention. Look to find creative ways to train and involve people in cyber conversations, such as through gamification, simulation, or creative videos.
5. Adopting a cyber risk quantification approach can help organisations decide what to secure (and how), where to invest and when to transfer risk. With the power of 3A (automation, AI and analytics) and dashboarding, CISOs can effectively zero in on risks that need attention and investment. This also improves communication with the board and the CFO. Presenting the right set of KPIs and correlating them with the impact on the business (finances, customer experience, etc.) can also help drop the elusiveness around security. Let data and insights be the organisation’s guiding light.
6. Adopting a cyber-resilient mindset means accepting that attacks are inevitable and that what matters is how resilient the organisation is and how soon business gets back to normal. The time is right to shift the focus from just “preventive” to also include “offensive” and “resilient.” Helping build organisations that are resilient-by-design can truly position security leaders as the flag-bearers of business enablement and continuity.
7. Communication is critical. To help security drive business growth and positive outcomes, it’s important for the CISO to emerge as a strong communicator. Establishing a communication cadence with various lines of businesses is key to understanding their vision, future projects and challenges. Using such insights, CISOs can come up with solution propositions that get easier buy-in from boards and management.
There is no denying that change, complexity and uncertainty will continue to shape the future. Time and again, the ability to transform and stay resilient will be put to the test. For organisations, the ability to transform (using technology or otherwise) will help them grow and stay relevant. What’s more, the ability to emerge successfully from a cyberattack or other crisis will help foster stakeholder trust and sustain business growth.
In the next frontiers of digital-led growth, the CISO’s role as a business leader, innovator and enabler — and cybersecurity’s role as a business engine — can no longer be discounted. As organisations take steps to prioritise cybersecurity and resilience across their operations, it’s time to ask: Are we investing right to drive greater business value?
Manager, Risk Advisory, Deloitte India
Manishree has 12+ years of experience in industry insights and advisory, competitive intelligence, GTM strategy, architecting narratives and thought leadership. She has orchestrated the development of several thought papers, PoVs and industry trend reports in technology and cybersecurity. Within cybersecurity, she has authored reports on the security product landscape, cyber insurance, OT security, and cybersecurity in pharma and retail, among many others.